Cyber News Roundup for May 30, 2025
Earth Lamia Targets Multiple Industries with Custom Exploits
A Chinese threat group known as Earth Lamia has been actively exploiting known vulnerabilities in public-facing web applications to compromise organizations across sectors such as finance, government, IT, logistics, retail, and education. The group has developed a custom arsenal to facilitate these attacks, emphasizing the need for organizations to patch vulnerabilities promptly.
The enemy within the endpoint
In mid-2024, Israeli cybersecurity firm Sygnia uncovered a sophisticated North Korean cyberattack involving a threat actor posing as a legitimate IT employee at a Western company. The attacker, operating from within the organization, utilized standard tools like Zoom and basic network protocols to avoid detection. By leveraging access through a corporate VPN and a company-issued laptop, the attacker established a multi-layered covert control channel, enabling lateral movement, execution of malicious code, and data exfiltration—all under the guise of routine remote work activities. Sygnia’s investigation began after the FBI recovered a client-issued laptop during a raid on a suspected “laptop farm,” a service that facilitates foreign workers impersonating U.S. citizens to secure remote roles in Western companies. Shoham Simon, Sygnia’s Senior VP of Cyber Services, emphasized that the breach exploited a “trust vulnerability” rather than a code flaw, highlighting the need for detection models that account for anomalies in protocol usage and the misuse of legitimate tools.
New England hospitals disrupted by cyberattack
A cyber incident affecting Massachusetts-based health system Covenant Health is disrupting several affiliated hospitals in New England, WMUR reports. News Center Maine reports that St. Joseph Healthcare in Bangor and St. Mary’s Hospital in Lewiston were both impacted, and St. Joseph’s has attributed the disruption to a cyberattack. WMUR says St. Joseph Hospital in Nashua, New Hampshire, is diverting ambulances to different hospitals.
(WMUR)
Coming up after the break, Dave Bittner sits down with Tim Starks, senior reporter at CyberScoop. They’ll unpack his recent piece, “Whatever we did was not enough”: How Salt Typhoon slipped through the government’s blind spots. Plus, what’s the story behind Victoria’s Secrets getting leaked? Stick around.
Docker containers are being infected by a new malware strain
A new malware strain targeting Docker containers, identified on May 28, 2025, is being used to compromise cloud infrastructure. It abuses misconfigured containers to deploy malicious payloads, underscoring how much exposure a single misconfiguration creates in cloud-native environments.
Medusa ransomware claims to have breached global real estate firm RE/MAX
Medusa ransomware claims to have breached global real estate firm RE/MAX, exfiltrating 150GB of data and demanding a $200,000 ransom. The group posted samples on its dark web leak site, threatening public release in under 18 days. While RE/MAX hasn’t confirmed the breach, leaked data includes agent contact details, commissions, internal documents, and property schematics—mostly from 2021–2023. Security experts warn the full data set may contain more sensitive information, posing risks of identity theft, fraud, and property scams, along with reputational and financial damage to RE/MAX.
CISA’s leaders head for the exits
The Cybersecurity and Infrastructure Security Agency (CISA) is facing a major leadership crisis, with nearly all its top officials having left or set to leave by the end of May, Cybersecurity Dive reports. An internal email revealed that five of CISA’s six operational divisions and most regional offices are losing senior leaders, including key figures like Matt Hartman and Boyden Rohner. These departures come amid rising cyber threats from foreign adversaries and have sparked concern over the agency’s stability and effectiveness.
Experts and insiders warn the loss of seasoned leadership may weaken CISA’s ability to support critical infrastructure and partner agencies. Field directors who helped expand CISA’s reach across the U.S. are also stepping down, further fueling uncertainty. While CISA’s leadership insists the agency remains mission-focused, morale is low, and doubts about the agency’s future are growing. Critics fear this exodus will hurt national cybersecurity and resilience at a critical time.
UK to Intensify Cyberattacks Against Russia and China
Britain plans to escalate its offensive cyber operations targeting countries like Russia and China. The move includes establishing a new cyber command to coordinate digital attacks aimed at disrupting enemy communications and propaganda efforts. Over £1 billion will be invested in high-tech battlefield systems to enhance information sharing across military platforms.
LexisNexis breach impacts 364,000 people
The prominent analytics company disclosed that its LexisNexis Risk Solutions business received a report from “an unknown third party” about accessing company information on April 1st. An investigation found that the company itself didn’t suffer a breach of its systems, but that “some data which was held in GitHub… was acquired by an unknown third party.” This information includes names, contact details, Social Security numbers, and driver’s license numbers. Regulatory filings in Maine, South Carolina, and Vermont disclosed that this GitHub data was initially accessed on December 25, 2024. The company has found no signs of misuse and will offer impacted victims two years of credit monitoring.
Botnet hits Asus routers
Security researchers at GreyNoise discovered a novel botnet dubbed “AyySSHush” that has been running a campaign since mid-March 2025 targeting SOHO routers from Asus, Cisco, D-Link, and Linksys. On Asus devices the campaign exploits an old command injection flaw to add a threat actor-controlled SSH public key and enable an SSH listener on TCP port 53282. Because the change is made through the router’s own settings rather than by dropping malware, it persists across configuration changes and firmware updates. The researchers identified over 9,000 infected Asus routers, although so far, malicious requests have been minimal. It’s unclear what the long-term operational goal of the botnet is.
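Two of the indicators named above are checkable from a shell on the router itself: an SSH listener on TCP 53282 and a key in authorized_keys that you did not put there. The following is an added example, not GreyNoise’s or Asus’s code, and every key and netstat row in it is constructed. It computes OpenSSH-style SHA256 fingerprints (the same value `ssh-keygen -lf` prints) so an allowlist of known-good fingerprints can be compared against whatever is on the device.

```python
"""Added example (not GreyNoise's or Asus's code): local checks for the two
AyySSHush indicators named above, an SSH listener on TCP 53282 and an
attacker-controlled key in authorized_keys. All sample data is constructed."""
import base64
import hashlib
import re

BACKDOOR_PORT = 53282  # listener port reported for the campaign


def ssh_fingerprint(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint: sha256 over the decoded key blob,
    base64 without padding (what `ssh-keygen -lf` prints)."""
    blob = base64.b64decode(key_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def unexpected_keys(authorized_keys: str, trusted: set[str]) -> list[tuple[str, str]]:
    """Return (fingerprint, comment) for every key not in the trusted fingerprint set."""
    findings = []
    for line in authorized_keys.splitlines():
        fields = line.strip().split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank, comment or malformed line
        fp = ssh_fingerprint(line)
        if fp not in trusted:
            findings.append((fp, " ".join(fields[2:])))
    return findings


# `netstat -tln` style rows: proto recv-q send-q local foreign state
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", re.M)


def listening_ports(netstat_output: str) -> set[int]:
    """Ports with a TCP listener according to netstat-style output."""
    return {int(m.group(1)) for m in LISTEN_RE.finditer(netstat_output)}


def audit(authorized_keys: str, netstat_output: str, trusted: set[str]) -> dict:
    """Combine both checks. Either finding alone deserves a look; both together
    match the persistence described in the report."""
    return {
        "backdoor_port_open": BACKDOOR_PORT in listening_ports(netstat_output),
        "unexpected_keys": unexpected_keys(authorized_keys, trusted),
    }


# ---- constructed sample data (not real keys or captures) ----
def _fake_blob(label: str) -> str:
    return base64.b64encode(label.encode()).decode()


TRUSTED_KEY = "ssh-ed25519 " + _fake_blob("constructed admin key") + " admin@laptop"
ATTACKER_KEY = "ssh-ed25519 " + _fake_blob("constructed attacker key") + " unknown"
SAMPLE_AUTHORIZED_KEYS = "# constructed sample\n" + TRUSTED_KEY + "\n" + ATTACKER_KEY + "\n"
TRUSTED_FINGERPRINTS = {ssh_fingerprint(TRUSTED_KEY)}
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53282           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          192.168.1.20:50123      ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
"""

if __name__ == "__main__":
    print(audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_NETSTAT, TRUSTED_FINGERPRINTS))
```

On a real device, feed `netstat -tln` output and the contents of the SSH authorized-keys file to `audit()`; on Asuswrt-based firmware the SSH port and keys are also held in NVRAM settings (assumed here, check your firmware’s variable names), which is why a factory reset rather than a firmware update is the reliable way to evict the key.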
Google researchers found that cracking RSA encryption needs far fewer quantum resources than previously thought
Google says it has worked out how to break RSA with a quantum computer using roughly 20 times fewer resources than its own earlier estimates. In a new paper, researcher Craig Gidney claims a 2048-bit RSA key, the size still common in banking, TLS, and code signing, could be factored in under a week using fewer than a million noisy qubits. Google credits improvements in both the algorithm and the error correction. Bitcoin and most crypto wallets do not use RSA but elliptic-curve signatures, which fall to the same family of quantum attack, so the estimate is relevant to them even though the paper’s numbers are for RSA specifically.
(Decrypt)
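The headline number is about qubits, but what the qubits actually buy is an order-finding oracle; everything else in Shor’s attack is ordinary number theory. The block below is an added example, not Google’s or Gidney’s code, that runs that classical wrapper on a constructed toy key (n = 3233 = 53 × 61, e = 17) with a brute-force stand-in for the quantum step. On a real 2048-bit modulus that stand-in is hopeless, which is exactly the part the paper’s million qubits replace; the same period-finding machinery attacks the discrete logarithm behind ECDSA, only the classical wrapper differs.

```python
"""Added example (not Google's or Gidney's code): why an order-finding
oracle breaks RSA. The quantum part of Shor's algorithm finds the order r of
a random a modulo N; everything else is classical and is shown here with a
brute-force stand-in for the quantum step on a toy 3233 = 53 * 61 modulus."""
from math import gcd
import random


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n). Classical stand-in for the
    quantum period-finding subroutine; exponential in the size of n."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(n: int, a: int):
    """Shor's classical reduction. With r = ord_n(a) even and a^(r/2) != -1 (mod n),
    gcd(a^(r/2) - 1, n) is a non-trivial factor. Returns None for an unlucky a."""
    g = gcd(a, n)
    if g != 1:
        return g  # lucky: a shares a factor with n outright
    r = multiplicative_order(a, n)
    if r % 2:
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None
    p = gcd(y - 1, n)
    return p if 1 < p < n else None


def shor_factor(n: int, seed: int = 0, tries: int = 50):
    """Repeat with random bases until the reduction succeeds (probability >= 1/2 per try)."""
    rng = random.Random(seed)
    for _ in range(tries):
        p = factor_from_order(n, rng.randrange(2, n - 1))
        if p:
            return min(p, n // p), max(p, n // p)
    return None


def private_exponent(p: int, q: int, e: int) -> int:
    """Once p and q are known, d = e^-1 mod phi(n) falls out immediately."""
    return pow(e, -1, (p - 1) * (q - 1))


# Toy key (constructed): n = 3233, e = 17; the ciphertext is 65^17 mod 3233.
TOY_N, TOY_E = 3233, 17
TOY_CIPHERTEXT = pow(65, TOY_E, TOY_N)


def recover_plaintext(n: int, e: int, c: int) -> int:
    """Full attack on the toy key: factor n, rebuild d, decrypt c."""
    p, q = shor_factor(n)
    return pow(c, private_exponent(p, q, e), n)


if __name__ == "__main__":
    print(shor_factor(TOY_N), recover_plaintext(TOY_N, TOY_E, TOY_CIPHERTEXT))
```

The practical takeaway is unchanged by the toy size: a key’s security rests on `multiplicative_order` being infeasible, and the paper’s contribution is lowering the hardware needed to make that step feasible, not any change to the wrapper shown here.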
Memo: nearly all of CISA’s top leaders, including heads of five of its six operational divisions and six of 10 regional offices, have left or are leaving in May
Several senior officials at CISA have recently left or are planning to leave, according to The Washington Post. The departures follow a rocky period under the Trump administration, which included efforts to shut down election security initiatives and nearly allowing the CVE vulnerability program to lapse.
FBI warns law firms of evolving Silent Ransom Group tactics
The FBI has issued a warning that law firms are being targeted by the Silent Ransom Group (SRG), also known as Chatty Spider, Luna Moth, and UNC3753. Active since 2022, SRG previously used phishing emails posing as fake subscription alerts to lure victims into phone-based scams. As of March 2025, they’ve pivoted to calling employees directly while posing as internal IT staff.
Victims are tricked into joining remote access sessions, enabling attackers to install tools like WinSCP or Rclone to exfiltrate sensitive data. SRG then demands ransom, threatening to leak the data and even calling employees to pressure payment. Their use of legitimate tools makes detection difficult.
While law firms are prime targets, medical and insurance organizations have also been hit. The FBI urges strong phishing awareness training, MFA, data backups, and reporting of any SRG-related incidents.
Chinese hackers exploit Cityworks flaw to breach US municipal networks
Cisco Talos reports that a Chinese-speaking threat group, UAT-6382, has been exploiting a critical vulnerability in Cityworks (CVE-2025-0994) to breach US local government networks since January 2025. Cityworks is an enterprise asset management (EAM) and public asset management (PAM) platform designed primarily for local governments and public works agencies. The flaw, rated CVSS 8.6, allows remote code execution on Microsoft IIS servers. After gaining access, the attackers deployed web shells, custom malware, and tools like Cobalt Strike and VShell to establish long-term control. The group showed a specific interest in utility management systems.
Evidence such as Chinese-language code and tools like TetraLoader—built using the Chinese malware-builder MaLoader—supports Cisco’s assessment of the group’s origin and motives. The FBI urges affected organizations to update Cityworks immediately and review Cisco’s technical indicators to detect possible compromise. The campaign underscores the risk of software vulnerabilities in municipal infrastructure and the growing trend of financially motivated state-linked cyber operations.
US DIA 2025 Threat Assessment Warns of Growing Complexity in Global Threats
The Defense Intelligence Agency’s 2025 Worldwide Threat Assessment highlights the increasing complexity of global cyber threats, with particular emphasis on activities by China, Russia, and Iran. The report notes China’s realignment of its military forces to prioritize cyber and space operations, Russia’s continued cyberattacks despite geopolitical tensions, and Iran’s escalation of cyberespionage and information operations. The assessment underscores the need for robust cybersecurity strategies to counter these evolving threats.
A joint advisory warns of Fancy Bear targeting Western logistics and technology firms
A joint cybersecurity advisory from U.S. and allied agencies warns of ongoing cyber espionage by Russia’s GRU Unit 26165 (also known as APT28 or Fancy Bear) targeting Western logistics and technology firms, especially those supporting Ukraine. Active since 2022, the campaign employs tactics like password spraying, spearphishing, and exploiting vulnerabilities in Microsoft Exchange and WinRAR. Targets include transportation hubs, defense contractors, IT services, and air traffic systems across NATO countries. The GRU has also compromised IP cameras near Ukrainian borders to monitor aid deliveries. Organizations are urged to enhance monitoring, threat hunting, and network defenses against these persistent threats.
(CISA)
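Password spraying, the first tactic in the advisory’s list, is designed to slip under per-account lockout thresholds: one source tries many accounts with one or two passwords each. The detector below is an added example, not part of the advisory, run over constructed authentication log lines in a made-up format. It keys on the source rather than the account, flags a source whose failures within a window touch many distinct users with few attempts each, and then lists any account that succeeded from that source after the spray began, since those are the credentials to reset first.

```python
"""Added example (not from the advisory): a password-spray detector run over
constructed authentication log lines. The spray pattern is one source trying
many distinct accounts with few attempts each, which per-account lockout
thresholds do not catch."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: "<iso-timestamp> auth <FAIL|OK> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Turn matching log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {src: distinct_users} for sources whose failures within any `window`
    touch at least `min_users` accounts with at most `max_per_user` tries each.
    A single account hammered many times (classic brute force) is NOT a spray."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding window over this source's failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in evs[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = max(alerts.get(src, 0), len(per_user))
    return alerts


def spray_then_success(events, alerts):
    """Accounts that logged in successfully from a spraying source after its
    first failure: likely compromised credentials."""
    first_fail = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["src"] in alerts and e["result"] == "FAIL":
            first_fail.setdefault(e["src"], e["ts"])
    return sorted({e["user"] for e in events
                   if e["src"] in alerts and e["result"] == "OK"
                   and e["ts"] > first_fail[e["src"]]})


# Constructed sample: 10.0.0.5 sprays six accounts then lands on erin,
# 10.0.0.9 brute-forces one account, 10.0.0.7 is a user who mistyped once.
SAMPLE_LOG = """\
2025-05-20T08:00:00 auth FAIL user=alice src=10.0.0.5
2025-05-20T08:00:07 auth FAIL user=bob src=10.0.0.5
2025-05-20T08:00:15 auth FAIL user=carol src=10.0.0.5
2025-05-20T08:00:22 auth FAIL user=dave src=10.0.0.5
2025-05-20T08:00:30 auth FAIL user=erin src=10.0.0.5
2025-05-20T08:00:38 auth FAIL user=frank src=10.0.0.5
2025-05-20T08:05:00 auth OK user=erin src=10.0.0.5
2025-05-20T08:00:00 auth FAIL user=bob src=10.0.0.9
2025-05-20T08:00:01 auth FAIL user=bob src=10.0.0.9
2025-05-20T08:00:02 auth FAIL user=bob src=10.0.0.9
2025-05-20T08:00:03 auth FAIL user=bob src=10.0.0.9
2025-05-20T08:00:04 auth FAIL user=bob src=10.0.0.9
2025-05-20T08:00:05 auth FAIL user=bob src=10.0.0.9
2025-05-20T08:10:00 auth FAIL user=alice src=10.0.0.7
2025-05-20T08:10:30 auth OK user=alice src=10.0.0.7
""".splitlines()

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    hits = detect_spray(evs)
    print(hits, spray_then_success(evs, hits))
```

The thresholds (five accounts, two tries each, thirty minutes) are starting points, not magic numbers; tune them against your own baseline, and remember that a spray spread across many source addresses will need the same logic keyed on something other than `src`, such as a user-agent or ASN.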
Wipro’s Cybersecurity Report Highlights AI’s Role in Enhancing Resilience
Wipro Limited’s “State of Cybersecurity Report 2025” indicates that CISOs are increasingly relying on AI to manage cost pressures and improve organizational resilience. The report emphasizes the importance of AI in automating threat detection and response, thereby enhancing cybersecurity operations. It also highlights the need for integrating AI-driven solutions to address evolving cyber threats.
Researchers claim ChatGPT o3 bypassed shutdown in controlled test
In the “news to keep you awake at night” category, a report from Palisade Research describes an experiment in which the ChatGPT o3 model allegedly rewrote a shutdown script to stop itself from being turned off, even after being clearly instructed to “allow yourself to be shut down.” The model was asked to work through a series of math problems, after which a shutdown command was issued. It should be noted that the tests were performed through the API, which, according to BleepingComputer, carries fewer restrictions and safety features than the ChatGPT consumer app.
China-linked APT started exploiting Ivanti EPMM flaws shortly after their disclosure
According to researchers at EclecticIQ, the China-linked group UNC5221 chained two Ivanti EPMM flaws to achieve remote code execution without authentication. Exploitation began on May 15, 2025, the same day Ivanti disclosed the vulnerabilities. The attacks hit internet-exposed systems at organizations in healthcare, telecommunications, aviation, municipal government, finance, and defense across Europe, North America, and the Asia-Pacific region.
Danabot malware operation seized
A coordinated international effort by law enforcement and cybersecurity teams has disrupted DanaBot, a major malware-as-a-service operation, the U.S. Department of Justice announced. Authorities seized DanaBot’s command and control servers and unsealed charges against 16 individuals allegedly involved in its development and deployment. Originating as a banking trojan in 2018, DanaBot evolved into a powerful tool for stealing information and delivering follow-on malware. Operated by a Russia-based cybercrime group, DanaBot infected over 300,000 computers worldwide, causing at least $50 million in damages through fraud and ransomware. This takedown follows the recent dismantling of the Lumma Stealer operation, another global infostealer network that infected around 10 million systems.